US12330693B2 - Safety control method and apparatus for autonomous driving assistance system - Google Patents


Info

Publication number
US12330693B2
Authority
US
United States
Prior art keywords
event
failure rate
rfim
driving assistance
autonomous driving
Prior art date
Legal status
Active, expires
Application number
US18/166,716
Other versions
US20230271633A1 (en
Inventor
Ashton Sun
Jingyao ZHANG
Peng GE
Current Assignee
Robert Bosch GmbH
Original Assignee
Robert Bosch GmbH
Priority date
Filing date
Publication date
Application filed by Robert Bosch GmbH
Assigned to Robert Bosch GmbH (assignment of assignors' interest; see document for details). Assignors: GE, Peng; SUN, Ashton; ZHANG, Jingyao
Publication of US20230271633A1
Application granted
Publication of US12330693B2
Legal status: Active
Adjusted expiration

Classifications

    • B PERFORMING OPERATIONS; TRANSPORTING
    • B60 VEHICLES IN GENERAL
    • B60W CONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W60/00 Drive control systems specially adapted for autonomous road vehicles
    • B60W60/005 Handover processes
    • B60W60/0053 Handover processes from vehicle to occupant
    • B60W60/0059 Estimation of the risk associated with autonomous or manual driving, e.g. situation too complex, sensor failure or driver incapacity
    • B60W60/001 Planning or execution of driving tasks
    • B60W60/0015 Planning or execution of driving tasks specially adapted for safety
    • B60W60/0018 Planning or execution of driving tasks specially adapted for safety by employing degraded modes, e.g. reducing speed, in response to suboptimal conditions
    • B60W60/00186 Planning or execution of driving tasks specially adapted for safety by employing degraded modes, e.g. reducing speed, in response to suboptimal conditions related to the vehicle
    • B60W40/00 Estimation or calculation of non-directly measurable driving parameters for road vehicle drive control systems not related to the control of a particular sub unit, e.g. by using mathematical models
    • B60W40/08 Estimation or calculation of non-directly measurable driving parameters for road vehicle drive control systems not related to the control of a particular sub unit, e.g. by using mathematical models related to drivers or passengers
    • B60W2540/00 Input parameters relating to occupants
    • B60W2540/229 Attention level, e.g. attentive to driving, reading or sleeping
    • B60W2540/26 Incapacity
    • B60Y INDEXING SCHEME RELATING TO ASPECTS CROSS-CUTTING VEHICLE TECHNOLOGY
    • B60Y2302/00 Responses or measures related to driver conditions
    • B60Y2302/05 Leading to automatic stopping of the vehicle

Definitions

  • the present disclosure relates to the field of vehicle safety control, and more particularly, to a safety control method and apparatus for an autonomous driving assistance system, a computer storage medium, a computer program product, and a vehicle.
  • ISO 26262 and ISO DIS 21448 are industry standards for functional safety and the safety of the intended functionality of automotive electronic/electrical systems.
  • the functional safety refers to “the absence of unreasonable risk due to hazards caused by malfunctioning behavior of electronic/electrical systems”. That is, the functional safety focuses on whether the system, after systematic failures, can enter a safe state to avoid greater hazards, or reduce the probability of occurrence of hazards by means of safety measures, rather than the original function or performance of the system.
  • the safety of the intended functionality refers to “the absence of unreasonable risk due to hazards caused by functional insufficiencies of the intended functionality or by foreseeable misuse by persons”. That is, the safety of the intended functionality focuses on the functional insufficiencies of the intended functionality at the vehicle level, performance limitation of electronic/electrical elements in the system, and misuse by drivers, rather than hazards resulting from failures of electronic/electrical systems. Therefore, for the reliability and safety of an autonomous driving assistance system, the relevant assistance functions must comply with both of the above two standards.
  • driver misuse does not directly result in hazards. Most likely, the driver misuse is combined with another system fault that occurs at the same time, so as to result in potential hazards, which essentially relates to the subject of the safety of the intended functionality (SOTIF).
  • ISO 26262 recommends using FTA to perform quantitative analysis on random hardware failures.
  • a safety control method for an autonomous driving assistance system comprising: receiving a status of a driver, so as to determine a reasonably foreseeable indirect misuse (RFIM) event; receiving a particular system event and/or system fault; and calculating, with reference to a degree of severity of the particular system event and/or system fault, a failure rate related to the reasonably foreseeable indirect misuse (RFIM) event, wherein it can be determined, on the basis of the failure rate, whether a safety of the intended functionality (SOTIF)-related residual risk in the autonomous driving assistance system is acceptable.
  • the above method further comprises: changing from a first human-machine interaction process in the autonomous driving assistance system to a second human-machine interaction process on the basis of the failure rate, and/or adjusting the reliability of the autonomous driving assistance system on the basis of the failure rate.
  • the reasonably foreseeable indirect misuse (RFIM) event comprises: the driver being inattentive; the driver getting drowsy; and the driver not being present within the field of view of a driver monitoring system (DMS).
  • the particular system event comprises: a vehicle being about to exceed a defined range of an operational design domain; and a vehicle being about to travel into an adjacent lane.
  • calculating, with reference to a degree of severity of the particular system event and/or system fault, a failure rate related to the reasonably foreseeable indirect misuse (RFIM) event comprises: calculating the failure rate according to the following formula:
  • λ = riskfactor × RFIM_TTI / 3600 s, wherein λ represents the failure rate, riskfactor represents a risk assessment factor determined according to the degree of severity of the particular system event and an exposure rating, and RFIM_TTI is a tolerant time interval for a reasonably foreseeable indirect misuse, and represents a time span from occurrence of a reasonably foreseeable indirect misuse (RFIM) event to the time when the vehicle enters a safe state.
  • sharply braking the vehicle for a short time causes the vehicle to enter the safe state.
  • changing from a first human-machine interaction process in the autonomous driving assistance system to a second human-machine interaction process on the basis of the failure rate comprises: shortening a tolerant time interval for a reasonably foreseeable indirect misuse in the first human-machine interaction process if the failure rate exceeds a system safety requirement.
  • adjusting the reliability of the autonomous driving assistance system on the basis of the failure rate comprises: increasing a detection accuracy rate of a driver monitoring system (DMS) if the failure rate exceeds a system safety requirement.
  • a safety control apparatus for an autonomous driving assistance system, comprising: a first receiving device, for receiving a status of a driver, so as to determine a reasonably foreseeable indirect misuse (RFIM) event; a second receiving device, for receiving a particular system event and/or system fault; and a calculating device, for calculating, with reference to a degree of severity of the particular system event and/or system fault, a failure rate related to the reasonably foreseeable indirect misuse (RFIM) event, wherein it can be determined, on the basis of the failure rate, whether a safety of the intended functionality (SOTIF)-related residual risk in the autonomous driving assistance system is acceptable.
  • the above apparatus further comprises: an adjustment device, for changing from a first human-machine interaction process in the autonomous driving assistance system to a second human-machine interaction process on the basis of the failure rate, and/or for adjusting the reliability of the autonomous driving assistance system on the basis of the failure rate.
  • the reasonably foreseeable indirect misuse (RFIM) event comprises: the driver being inattentive; the driver getting drowsy; and the driver not being present within the field of view of a driver monitoring system (DMS).
  • the particular system event comprises: a vehicle being about to exceed a defined range of an operational design domain; and a vehicle being about to travel into an adjacent lane.
  • the calculating device calculates the failure rate according to the following formula:
  • λ = riskfactor × RFIM_TTI / 3600 s, wherein λ represents the failure rate, riskfactor represents a risk assessment factor determined according to the degree of severity of the particular system event and an exposure rating, and RFIM_TTI is a tolerant time interval for a reasonably foreseeable indirect misuse, and represents a time span from occurrence of a reasonably foreseeable indirect misuse (RFIM) event to the time when the vehicle enters a safe state.
  • the adjustment device is configured to shorten a tolerant time interval for a reasonably foreseeable indirect misuse in the first human-machine interaction process if the failure rate exceeds a system safety requirement.
  • the adjustment device is configured to increase a detection accuracy rate of a driver monitoring system (DMS) if the failure rate exceeds a system safety requirement.
  • a computer storage medium comprising an instruction, wherein the instruction, when being run, implements the above method.
  • a computer program product comprising a computer program, wherein the computer program, when executed by a processor, implements the above method.
  • a vehicle comprising the above apparatus.
  • a status signal regarding a driver is received, so as to determine a reasonably foreseeable indirect misuse (RFIM) event, and a failure rate related to the reasonably foreseeable indirect misuse (RFIM) event is calculated with reference to a degree of severity of a received particular system event and/or system fault, so as to determine whether a safety of the intended functionality (SOTIF)-related residual risk in the autonomous driving assistance system is acceptable.
  • FIG. 1 shows a schematic flowchart of a safety control method for an autonomous driving assistance system according to an embodiment of the present disclosure.
  • FIG. 2 shows a schematic structural view of a safety control apparatus for an autonomous driving assistance system according to an embodiment of the present disclosure.
  • FIG. 1 shows a schematic flowchart of a safety control method 1000 for an autonomous driving assistance system according to an embodiment of the present disclosure. As shown in FIG. 1, the safety control method 1000 for an autonomous driving assistance system includes the following steps:
  • the “autonomous driving assistance system” may be an ADAS system, i.e., an advanced driver assistance system, which, at any time during traveling of a vehicle, utilizes various sensors (a millimeter-wave radar, a lidar, a monocular/binocular camera, and satellite navigation) installed on the vehicle to sense the surrounding environment, acquire data, and identify, detect, and track static and dynamic objects, and performs system computation and analysis with reference to navigation map data, so as to enable the driver to perceive a potential danger in advance, thereby effectively improving the comfort and safety of vehicle driving.
  • RFIM refers to reasonably foreseeable indirect misuse.
  • a reasonably foreseeable indirect misuse (RFIM) behavior/event does not directly cause a hazard, but may be combined with another system fault that occurs at the same time so as to cause a potential hazard.
  • a status of a driver is received, so as to determine a reasonably foreseeable indirect misuse (RFIM) event.
  • the status of a driver can be analyzed comprehensively according to driving behaviors, driving styles, vehicle characteristics, environmental conditions, etc., and can also be inferred from physiological factors, external expressions, and emotional factors.
  • a driver monitoring system can be used to detect the status of the driver or receive information related to the status of the driver.
  • the reasonably foreseeable indirect misuse (RFIM) event includes: the driver being inattentive; the driver getting drowsy; and the driver not being present within the field of view of the driver monitoring system (DMS). Therefore, in this embodiment, the purpose of monitoring or surveillance performed by the driver monitoring system is to detect distraction, fatigue, or drowsiness of the driver and to monitor for a situation when the driver is not within the field of view of the driver monitoring system (DMS), for example, when cheating the driving assistance system by placing mineral water instead of the hands on the steering wheel, or when quarreling and fighting with a passenger, or the like. In the research and development stage of autonomous driving, monitoring drivers can provide first-hand data of driving behaviors, which can even be used in emulation and simulation systems.
  • a non-intrusive method is the preferred method to be used by the driver monitoring system, and a vision-based system is especially attractive.
  • Primary visual cues include facial features, hand features, or body features.
  • the driver monitoring system may be a real-time system that investigates the physical and psychological statuses of the driver on the basis of facial image processing performed on the driver.
  • the driver monitoring system can detect the status of the driver according to closing of the eyelids, blinking, the direction of gaze, yawning, head movement, etc.
  • extracted symptoms related to fatigue, distraction, and drowsiness include: 1) symptoms associated with the ocular region: eye closing, the distance between the eyelids, rapid blinking, the direction of gaze, and saccadic eye movements; 2) symptoms associated with the mouth region: opening/closing; 3) symptoms associated with the head: nodding, the orientation of the head, and the head being motionless; and 4) symptoms associated with the face: mainly expressions.
  • a particular system event and/or system fault is received.
  • the particular system event may include: a vehicle being about to exceed a defined range of an operational design domain (ODD); and a vehicle being about to travel into an adjacent lane.
  • the degree of severity of a vehicle being about to travel into an adjacent lane is greater than the degree of severity of a vehicle being about to exceed a defined range of an operational design domain (ODD).
  • different system faults can be detected by sensor-level and system-level software and hardware monitoring, and can be distinguished according to the degrees of severity.
  • in step S130, a failure rate related to the reasonably foreseeable indirect misuse (RFIM) event is calculated with reference to a degree of severity of the particular system event and/or system fault.
  • step S130 may include calculating the failure rate according to the following formula (equation (1)): λ = riskfactor × RFIM_TTI / 3600 s.
  • for a slight system fault, or a particular event in which the vehicle is going to exceed a defined range of an operational design domain, if the exposure rating is assumed to be 3, it can be determined that the risk assessment (calculation) factor riskfactor ranges from 0.01 to 0.1.
  • if the tolerant time interval for a reasonably foreseeable indirect misuse is 16 s, the finally acquired range of the failure rate λ is from 4×10⁻⁵ to 4×10⁻⁴ /h.
  • in another example, the exposure rating is assumed to be 3 and the risk assessment (calculation) factor riskfactor is 0.1.
  • if the tolerant time interval for a reasonably foreseeable indirect misuse is 4 s, the finally acquired failure rate λ is 1×10⁻⁴ /h.
  • RFIM_TTI is the tolerant time interval for a reasonably foreseeable indirect misuse, and represents a time span from occurrence of a reasonably foreseeable indirect misuse (RFIM) event to the time when the vehicle enters a safe state (after intervention) (or represents, in the absence of a misuse intervention mechanism, a time span from occurrence of a reasonably foreseeable indirect misuse (RFIM) event to the time when a situation or event resulting in a hazard event occurs).
  • driver misuse (for example, the line of sight of the driver being moved away from the road) resembles a dormant failure as defined by ISO 26262. If no driver misuse prevention mechanism is implemented in the autonomous driving assistance system, then after a certain time (an RFIM time), a second fault will occur in the system.
  • such a fault may be that the vehicle travels into an adjacent lane.
  • the fault results in potential danger (e.g., collision with a vehicle in an adjacent lane or across a road fence), because the driver does not actively monitor road conditions and cannot take over promptly.
  • an RFIM duration varies greatly, specifically depending on a road segment in which the ego-vehicle is traveling, in-vehicle sensors, and vehicle performance.
  • a safety mechanism may be implemented (for example, a driver monitoring system (DMS) is employed) in the autonomous driving assistance system so as to prevent driver misuse.
  • the DMS typically has a de-dithering time (e.g., 300 ms to 500 ms) corresponding to an RFIM detection time interval (RFIM-DTI).
  • a total RFIM handling time interval is the sum of the RFIM detection time interval (RFIM-DTI) and the RFIM reaction time interval (RFIM-RTI), and should be shorter than a time span from occurrence of a reasonably foreseeable indirect misuse (RFIM) event to the time when a situation or event resulting in a hazard event occurs in the absence of a misuse intervention mechanism.
  • a feasible safe state of the system may be sudden (short-time) braking for alerting the driver, so that he/she restores manual control of the vehicle. This is because sharp braking has been proven to be one of the most effective measures to make the driver resume the driving task.
  • the above method 1000 further includes: changing from a first human-machine interaction process in the autonomous driving assistance system to a second human-machine interaction process on the basis of the failure rate, and/or adjusting the reliability of the autonomous driving assistance system on the basis of the failure rate.
  • the first human-machine interaction process may be as follows: upon detecting a driver misuse event, and upon detecting a slight system fault or the vehicle being about to exceed a defined range of an operational design domain (ODD), the autonomous driving assistance system still continues performing full function operation for a period of time t (e.g., 3 s), and then if the above conditions are still met (that is, the driver misuse event is detected, and the slight system fault or the vehicle being about to exceed the defined range of the operational design domain (ODD) is detected), multiple levels of alerts are triggered in sequence.
  • a first-level alert (for example, an alert issued by means of a text message on a screen) is triggered in a first time period T1.
  • a second-level alert is further triggered in a second time period T2: the system triggers a take-over request by means of a flickering status bar on the steering wheel, an icon on the dashboard, and a swooshing sound.
  • the system enhances all of the second-level alerts by increasing their frequencies and volumes in a third time period T3.
  • a transient and sudden braking impact is triggered in a fourth time period T4 to alert the driver.
  • if the failure rate calculated according to equation (1) is greater than the failure rate allowable by system safety (i.e., it exceeds the system safety requirement), it may be considered to shorten the tolerant time interval for a reasonably foreseeable indirect misuse in the first human-machine interaction process. In the above embodiment, any one of t, T1, T2, and T3 may be shortened.
  • the reliability of the autonomous driving assistance system may be adjusted on the basis of the failure rate. For example, if the failure rate exceeds a system safety requirement, a detection accuracy rate of the driver monitoring system (DMS) is increased (for example, improving a detection algorithm of a sensor, utilizing a sensor having higher precision, and so on).
  • the safety control method for an autonomous driving assistance system may be implemented by a computer program.
  • the computer program is included in a computer program product, and when executed by a processor, the computer program implements the safety control method for an autonomous driving assistance system according to one or more embodiments of the present disclosure.
  • the computer program may be stored on a computer storage medium (e.g., a USB flash drive), and the safety control method for an autonomous driving assistance system according to one or more embodiments of the present disclosure can be implemented by executing the computer program.
  • FIG. 2 shows a schematic structural view of a safety control apparatus 2000 for an autonomous driving assistance system according to an embodiment of the present disclosure.
  • the safety control apparatus 2000 for an autonomous driving assistance system includes: a first receiving device 210, a second receiving device 220, and a calculating device 230.
  • the first receiving device 210 is for receiving a status signal regarding a driver, so as to determine a reasonably foreseeable indirect misuse (RFIM) event.
  • the second receiving device 220 is for receiving a particular system event and/or system fault.
  • the calculating device 230 is for calculating, with reference to a degree of severity of the particular system event and/or system fault, a failure rate related to the reasonably foreseeable indirect misuse (RFIM) event, wherein it can be determined, on the basis of the failure rate, whether a safety of the intended functionality (SOTIF)-related residual risk in the autonomous driving assistance system is acceptable.
  • the above apparatus 2000 further includes: an adjustment device, for changing from a first human-machine interaction process in the autonomous driving assistance system to a second human-machine interaction process on the basis of the failure rate, and/or for adjusting the reliability of the autonomous driving assistance system on the basis of the failure rate.
  • a status of a driver is received, so as to determine a reasonably foreseeable indirect misuse (RFIM) event, and a failure rate related to the reasonably foreseeable indirect misuse (RFIM) event is calculated with reference to a degree of severity of a received particular system event and/or system fault, so as to determine whether a safety of the intended functionality (SOTIF)-related residual risk in the autonomous driving assistance system is acceptable.
  • This solution enables safety experts and developers to quantitatively (rather than qualitatively) assess a SOTIF-related risk, so as to determine as required, according to the failure rate, whether system design needs to be modified.
  • the safety control solution for an autonomous driving assistance system according to the embodiments of the present disclosure not only ensures an intelligent driving system to meet reliability and safety requirements, but also facilitates shortening of a development cycle of an autonomous driving assistance system.
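As an added worked example (not code from the patent or from Robert Bosch GmbH), the following Python script implements the failure-rate formula given in the definitions above, λ = riskfactor × RFIM_TTI / 3600 s, reproduces the page's two numeric cases (riskfactor 0.01 to 0.1 with a 16 s tolerant interval, and 0.1 with a 4 s interval), and carries out the two follow-up actions the page describes when λ exceeds the system safety requirement: shortening the tolerant time interval of the first human-machine interaction process and raising the DMS detection accuracy rate. The stage durations t and T1 to T4, the safety-requirement value of 1×10⁻⁴ /h, the treatment of RFIM_TTI as the sum of those stages, and the proportional shortening of t, T1, T2 and T3 are assumptions made for illustration; the page only states that any one of t, T1, T2 and T3 may be shortened.

```python
"""Worked example of the RFIM failure-rate check (added here; not the patent's
or Bosch's own code). Implements lambda = riskfactor * RFIM_TTI / 3600 s and
the two follow-up actions described on the page when lambda is too high."""
from dataclasses import dataclass, replace

SECONDS_PER_HOUR = 3600.0


def failure_rate(riskfactor: float, rfim_tti_s: float) -> float:
    """Failure rate lambda in 1/h for a risk factor and a tolerant time interval (s)."""
    if riskfactor <= 0 or rfim_tti_s <= 0:
        raise ValueError("riskfactor and RFIM_TTI must be positive")
    return riskfactor * rfim_tti_s / SECONDS_PER_HOUR


def max_tolerant_interval(riskfactor: float, required_rate: float) -> float:
    """Largest RFIM_TTI (s) for which lambda stays within the requirement
    (the page's formula rearranged for RFIM_TTI)."""
    return required_rate * SECONDS_PER_HOUR / riskfactor


@dataclass(frozen=True)
class HmiSchedule:
    """Stage durations (s) of the first HMI process: full function continues for
    t, alerts escalate through T1..T3, and a braking impact follows in T4.
    The values are constructed for this example."""
    t: float = 3.0
    T1: float = 4.0
    T2: float = 4.0
    T3: float = 3.0
    T4: float = 2.0

    def tolerant_interval(self) -> float:
        # Assumption: RFIM_TTI runs from the misuse event until the braking
        # impact puts the vehicle in the safe state, i.e. the sum of all stages.
        return self.t + self.T1 + self.T2 + self.T3 + self.T4


def shorten_schedule(schedule: HmiSchedule, max_tti_s: float) -> HmiSchedule:
    """Shorten t, T1, T2 and T3 proportionally so the tolerant interval fits in
    max_tti_s; T4 (the transition into the safe state) is kept unchanged.
    Proportional scaling is a design choice of this example, not the page's."""
    budget = max_tti_s - schedule.T4
    if budget <= 0:
        raise ValueError("requirement cannot be met by shortening the waiting stages")
    adjustable = schedule.t + schedule.T1 + schedule.T2 + schedule.T3
    if adjustable <= budget:
        return schedule
    k = budget / adjustable
    return replace(schedule, t=schedule.t * k, T1=schedule.T1 * k,
                   T2=schedule.T2 * k, T3=schedule.T3 * k)


def assess(riskfactor: float, schedule: HmiSchedule, required_rate: float) -> dict:
    """Check whether the SOTIF-related residual risk is acceptable and, if not,
    apply the page's two remedies: shorten the tolerant interval and flag that
    the DMS detection accuracy rate must be increased."""
    rate = failure_rate(riskfactor, schedule.tolerant_interval())
    result = {"failure_rate_per_h": rate, "acceptable": rate <= required_rate,
              "schedule": schedule, "increase_dms_accuracy": False}
    if not result["acceptable"]:
        limit = max_tolerant_interval(riskfactor, required_rate)
        result["schedule"] = shorten_schedule(schedule, limit)
        result["increase_dms_accuracy"] = True
    return result


if __name__ == "__main__":
    REQUIRED_RATE = 1e-4  # assumed system safety requirement, in 1/h
    # The page's numeric cases: riskfactor 0.01..0.1 with RFIM_TTI 16 s, and 0.1 with 4 s.
    print(f"{failure_rate(0.01, 16):.2e} .. {failure_rate(0.1, 16):.2e} /h")
    print(f"{failure_rate(0.1, 4):.2e} /h")
    for rf in (0.01, 0.1):  # the two risk factors from the page's examples
        r = assess(rf, HmiSchedule(), REQUIRED_RATE)
        print(rf, r["acceptable"], round(r["schedule"].tolerant_interval(), 2),
              r["increase_dms_accuracy"])
```

With the constructed 16 s schedule, riskfactor 0.01 yields about 4.4×10⁻⁵ /h and passes the assumed requirement unchanged, while riskfactor 0.1 yields about 4.4×10⁻⁴ /h, so the waiting stages are compressed until the tolerant interval equals the 3.6 s limit that the rearranged formula gives and the DMS accuracy flag is raised.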

Landscapes

  • Engineering & Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • Transportation (AREA)
  • Mechanical Engineering (AREA)
  • Human Computer Interaction (AREA)
  • Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Traffic Control Systems (AREA)

Abstract

A safety control method for an autonomous driving assistance system includes: receiving a status signal regarding a driver so as to determine a reasonably foreseeable indirect misuse (RFIM) event; receiving a particular system event and/or system fault; and calculating, with reference to a degree of severity of the particular system event and/or system fault, a failure rate related to the reasonably foreseeable indirect misuse (RFIM) event, wherein it can be determined, on the basis of the failure rate, whether a safety of the intended functionality (SOTIF)-related residual risk in the autonomous driving assistance system is acceptable.

Description

This application claims priority under 35 U.S.C. § 119 to application no. CN 202210190318.5, filed on Feb. 28, 2022 in China, the disclosure of which is incorporated herein by reference in its entirety.
FIELD
The present disclosure relates to the field of vehicle safety control, and more particularly, to a safety control method and apparatus for an autonomous driving assistance system, a computer storage medium, a computer program product, and a vehicle.
BACKGROUND
With fast development of intelligent connected vehicles and autonomous vehicles, designing highly reliable and safe vehicle electronic systems is attracting increasing attention from various parties, and functional safety and the safety of the intended functionality are indispensable to system design of autonomous vehicles. ISO 26262 and ISO DIS 21448 are industry standards for functional safety and the safety of the intended functionality of automotive electronic/electrical systems. The functional safety refers to “the absence of unreasonable risk due to hazards caused by malfunctioning behavior of electronic/electrical systems”. That is, the functional safety focuses on whether the system, after systematic failures, can enter a safe state to avoid greater hazards, or reduce the probability of occurrence of hazards by means of safety measures, rather than the original function or performance of the system. The safety of the intended functionality refers to “the absence of unreasonable risk due to hazards caused by functional insufficiencies of the intended functionality or by foreseeable misuse by persons”. That is, the safety of the intended functionality focuses on the functional insufficiencies of the intended functionality at the vehicle level, performance limitation of electronic/electrical elements in the system, and misuse by drivers, rather than hazards resulting from failures of electronic/electrical systems. Therefore, for the reliability and safety of an autonomous driving assistance system, the relevant assistance functions must comply with both of the above two standards.
For certain level-2 driving assistance functions, driver misuse does not directly result in hazards. Most likely, the driver misuse is combined with another system fault that occurs at the same time, and it is this combination that results in potential hazards; this essentially belongs to the subject of the safety of the intended functionality (SOTIF).
ISO 26262 recommends using fault tree analysis (FTA) to perform quantitative analysis of random hardware failures. However, no feasible quantitative analysis method is currently available for safety of the intended functionality (SOTIF)-related residual risks, so it is difficult to implement the safety of the intended functionality in an actual project development process, which in turn affects the final product delivery quality.
SUMMARY
According to an aspect of the present disclosure, provided is a safety control method for an autonomous driving assistance system, comprising: receiving a status of a driver, so as to determine a reasonably foreseeable indirect misuse (RFIM) event; receiving a particular system event and/or system fault; and calculating, with reference to a degree of severity of the particular system event and/or system fault, a failure rate related to the reasonably foreseeable indirect misuse (RFIM) event, wherein it can be determined, on the basis of the failure rate, whether a safety of the intended functionality (SOTIF)-related residual risk in the autonomous driving assistance system is acceptable.
As an addition or alternative to the above solution, the above method further comprises: changing from a first human-machine interaction process in the autonomous driving assistance system to a second human-machine interaction process on the basis of the failure rate, and/or adjusting the reliability of the autonomous driving assistance system on the basis of the failure rate.
As an addition or alternative to the above solution, in the above method, the reasonably foreseeable indirect misuse (RFIM) event comprises: the driver being inattentive; the driver getting drowsy; and the driver not being present within the field of view of a driver monitoring system (DMS).
As an addition or alternative to the above solution, in the above method, the particular system event comprises: a vehicle being about to exceed a defined range of an operational design domain; and a vehicle being about to travel into an adjacent lane.
As an addition or alternative to the above solution, in the above method, calculating, with reference to a degree of severity of the particular system event and/or system fault, a failure rate related to the reasonably foreseeable indirect misuse (RFIM) event comprises: calculating the failure rate according to the following formula:
$\lambda = \dfrac{\mathit{riskfactor} \times \mathit{RFIM\_TTI}}{3600\ \mathrm{s}}$,
wherein λ represents the failure rate, riskfactor represents a risk assessment factor determined according to the degree of severity of the particular system event and an exposure rating, and RFIM_TTI is a tolerant time interval for a reasonably foreseeable indirect misuse, and represents a time span from occurrence of a reasonably foreseeable indirect misuse (RFIM) event to the time when the vehicle enters a safe state.
As an addition or alternative to the above solution, in the above method, sharply braking the vehicle for a short time causes the vehicle to enter the safe state.
As an addition or alternative to the above solution, in the above method, changing from a first human-machine interaction process in the autonomous driving assistance system to a second human-machine interaction process on the basis of the failure rate comprises: shortening a tolerant time interval for a reasonably foreseeable indirect misuse in the first human-machine interaction process if the failure rate exceeds a system safety requirement.
As an addition or alternative to the above solution, in the above method, adjusting the reliability of the autonomous driving assistance system on the basis of the failure rate comprises: increasing a detection accuracy rate of a driver monitoring system (DMS) if the failure rate exceeds a system safety requirement.
According to another aspect of the present disclosure, provided is a safety control apparatus for an autonomous driving assistance system, comprising: a first receiving device, for receiving a status of a driver, so as to determine a reasonably foreseeable indirect misuse (RFIM) event; a second receiving device, for receiving a particular system event and/or system fault; and a calculating device, for calculating, with reference to a degree of severity of the particular system event and/or system fault, a failure rate related to the reasonably foreseeable indirect misuse (RFIM) event, wherein it can be determined, on the basis of the failure rate, whether a safety of the intended functionality (SOTIF)-related residual risk in the autonomous driving assistance system is acceptable.
As an addition or alternative to the above solution, the above apparatus further comprises: an adjustment device, for changing from a first human-machine interaction process in the autonomous driving assistance system to a second human-machine interaction process on the basis of the failure rate, and/or for adjusting the reliability of the autonomous driving assistance system on the basis of the failure rate.
As an addition or alternative to the above solution, in the above apparatus, the reasonably foreseeable indirect misuse (RFIM) event comprises: the driver being inattentive; the driver getting drowsy; and the driver not being present within the field of view of a driver monitoring system (DMS).
As an addition or alternative to the above solution, in the above apparatus, the particular system event comprises: a vehicle being about to exceed a defined range of an operational design domain; and a vehicle being about to travel into an adjacent lane.
As an addition or alternative to the above solution, in the above apparatus, the calculating device calculates the failure rate according to the following formula:
$\lambda = \dfrac{\mathit{riskfactor} \times \mathit{RFIM\_TTI}}{3600\ \mathrm{s}}$,
wherein λ represents the failure rate, riskfactor represents a risk assessment factor determined according to the degree of severity of the particular system event and an exposure rating, and RFIM_TTI is a tolerant time interval for a reasonably foreseeable indirect misuse, and represents a time span from occurrence of a reasonably foreseeable indirect misuse (RFIM) event to the time when the vehicle enters a safe state.
As an addition or alternative to the above solution, in the above apparatus, sharply braking the vehicle for a short time causes the vehicle to enter the safe state.
As an addition or alternative to the above solution, in the above apparatus, the adjustment device is configured to shorten a tolerant time interval for a reasonably foreseeable indirect misuse in the first human-machine interaction process if the failure rate exceeds a system safety requirement.
As an addition or alternative to the above solution, in the above apparatus, the adjustment device is configured to increase a detection accuracy rate of a driver monitoring system (DMS) if the failure rate exceeds a system safety requirement.
According to yet another aspect of the present disclosure, provided is a computer storage medium, comprising an instruction, wherein the instruction, when being run, implements the above method.
According to yet another aspect of the present disclosure, provided is a computer program product, comprising a computer program, wherein the computer program, when executed by a processor, implements the above method.
According to yet another aspect of the present disclosure, provided is a vehicle, comprising the above apparatus.
In the safety control solution for an autonomous driving assistance system according to the embodiments of the present disclosure, a status signal regarding a driver is received, so as to determine a reasonably foreseeable indirect misuse (RFIM) event, and a failure rate related to the reasonably foreseeable indirect misuse (RFIM) event is calculated with reference to a degree of severity of a received particular system event and/or system fault, so as to determine whether a safety of the intended functionality (SOTIF)-related residual risk in the autonomous driving assistance system is acceptable. This solution enables safety experts and developers to quantitatively (rather than qualitatively) assess a SOTIF-related risk, so as to determine as required, according to the failure rate, whether system design needs to be modified.
BRIEF DESCRIPTION OF THE DRAWINGS
The foregoing and other objectives and advantages of the present disclosure will be made more complete and clearer from the following detailed description provided with reference to the accompanying drawings, wherein the same or similar elements use the same reference numerals.
FIG. 1 shows a schematic flowchart of a safety control method for an autonomous driving assistance system according to an embodiment of the present disclosure; and
FIG. 2 shows a schematic structural view of a safety control apparatus for an autonomous driving assistance system according to an embodiment of the present disclosure.
DETAILED DESCRIPTION
In the following, a safety control solution for an autonomous driving assistance system according to various exemplary embodiments of the present disclosure will be described in detail with reference to the accompanying drawings.
FIG. 1 shows a schematic flowchart of a safety control method 1000 for an autonomous driving assistance system according to an embodiment of the present disclosure. As shown in FIG. 1 , the safety control method 1000 for an autonomous driving assistance system includes the following steps:
    • step S110, receiving a status signal regarding a driver, so as to determine a reasonably foreseeable indirect misuse (RFIM) event;
    • step S120, receiving a particular system event and/or system fault; and
    • step S130, calculating, with reference to a degree of severity of the particular system event and/or system fault, a failure rate related to the reasonably foreseeable indirect misuse (RFIM) event, wherein it can be determined, on the basis of the failure rate, whether a safety of the intended functionality (SOTIF)-related residual risk in the autonomous driving assistance system is acceptable.
In one or more embodiments of the present disclosure, the “autonomous driving assistance system” may be an ADAS system, i.e., an advanced driver assistance system, which, at any time during traveling of a vehicle, utilizes various sensors (a millimeter-wave radar, a lidar, a monocular/binocular camera, and satellite navigation) installed on the vehicle to sense the surrounding environment, acquire data, and identify, detect, and track static and dynamic objects, and performs system computation and analysis with reference to navigation map data, so as to enable the driver to perceive a potential danger in advance, thereby effectively improving the comfort and safety of vehicle driving.
In the context of the present disclosure, the term “RFIM” refers to reasonably foreseeable indirect misuse. A reasonably foreseeable indirect misuse (RFIM) behavior/event does not directly cause a hazard, but may be combined with another system fault that occurs at the same time so as to cause a potential hazard.
In step S110, a status of a driver is received, so as to determine a reasonably foreseeable indirect misuse (RFIM) event. Generally, the status of a driver can be analyzed comprehensively according to driving behaviors, driving styles, vehicle characteristics, environmental conditions, etc., and can also be inferred from physiological factors, external expressions, and emotional factors. In an embodiment, a driver monitoring system (DMS) can be used to detect the status of the driver or receive information related to the status of the driver.
In an embodiment, the reasonably foreseeable indirect misuse (RFIM) event includes: the driver being inattentive; the driver getting drowsy; and the driver not being present within the field of view of the driver monitoring system (DMS). Therefore, in this embodiment, the purpose of the monitoring performed by the driver monitoring system is to detect distraction, fatigue, or drowsiness of the driver and to detect situations in which the driver is not within the field of view of the driver monitoring system (DMS), for example, when the driver cheats the driving assistance system by placing a bottle of mineral water on the steering wheel instead of the hands, or when the driver is quarreling or fighting with a passenger, or the like. In the research and development stage of autonomous driving, monitoring drivers can also provide first-hand data on driving behaviors, which can even be used in emulation and simulation systems.
A non-intrusive method is the preferred method to be used by the driver monitoring system, and a vision-based system is especially attractive. Primary visual cues include facial features, hand features, or body features. As an example, the driver monitoring system may be a real-time system that investigates the physical and psychological statuses of the driver on the basis of facial image processing performed on the driver. The driver monitoring system can detect the status of the driver according to closing of the eyelids, blinking, the direction of gaze, yawning, head movement, etc. For example, extracted symptoms related to fatigue, distraction, and drowsiness include: 1) symptoms associated with the ocular region: eye closing, the distance between the eyelids, rapid blinking, the direction of gaze, and saccadic eye movements; 2) symptoms associated with the mouth region: opening/closing; 3) symptoms associated with the head: nodding, the orientation of the head, and the head being motionless; and 4) symptoms associated with the face: mainly expressions.
In step S120, a particular system event and/or system fault is received. Here, the particular system event may include: a vehicle being about to exceed a defined range of an operational design domain (ODD); and a vehicle being about to travel into an adjacent lane. It can be understood that the degree of severity of a vehicle being about to travel into an adjacent lane is greater than the degree of severity of a vehicle being about to exceed a defined range of an operational design domain (ODD). Similarly, different system faults can be detected by sensor-level and system-level software and hardware monitoring, and can be distinguished according to the degrees of severity.
In step S130, with reference to a degree of severity of the particular system event and/or system fault, a failure rate related to the reasonably foreseeable indirect misuse (RFIM) event is calculated. For example, step S130 may include calculating the failure rate according to the following formula:
$\lambda = \dfrac{\mathit{riskfactor} \times \mathit{RFIM\_TTI}}{3600\ \mathrm{s}}$, (equation 1)
wherein λ represents the failure rate, riskfactor represents a risk assessment factor determined according to the degree of severity of the particular system event and an exposure rating, and RFIM_TTI is a tolerant time interval for a reasonably foreseeable indirect misuse, and represents a time span from occurrence of a reasonably foreseeable indirect misuse (RFIM) event to the time when the vehicle enters a safe state.
In an embodiment, for a certain driving assistance function, regarding a slight system fault or a particular event in which the vehicle is going to exceed a defined range of an operational design domain (ODD), if the exposure rating is assumed to be 3, the risk assessment (calculation) factor riskfactor can be determined to lie in the range from 0.01 to 0.1. In addition, for said driving assistance function, when the slight system fault or the particular event in which the vehicle is going to exceed the defined range of the operational design domain (ODD) occurs, the tolerant time interval for a reasonably foreseeable indirect misuse is 16 s, so that the finally obtained failure rate λ lies in the range from 4×10⁻⁵ to 4×10⁻⁴/h.
In another embodiment, for a certain driving assistance function, regarding a primary system fault or a particular event in which the vehicle is going to travel into an adjacent lane, if the exposure rating is assumed to be 3, the risk assessment (calculation) factor riskfactor can be determined to be 0.1. In addition, for said driving assistance function, when the primary system fault or the particular event in which the vehicle is going to travel into an adjacent lane occurs, the tolerant time interval for a reasonably foreseeable indirect misuse is 4 s, so that the finally obtained failure rate λ is 1×10⁻⁴/h.
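The two embodiments above can be worked through with equation (1) as follows. This is an added example written for this page; it is not code from the patent or from Robert Bosch GmbH. The event names, the SystemEvent structure and the acceptance threshold TARGET_FAILURE_RATE_PER_H are assumptions: the disclosure compares λ against a "system safety requirement" but does not give a number for it, so the threshold here is a placeholder. The riskfactor bands, exposure ratings and RFIM_TTI values are the ones stated in the text.

```python
"""Failure-rate estimate for a reasonably foreseeable indirect misuse (RFIM) event.

Implements equation (1) of the disclosure, lambda = riskfactor * RFIM_TTI / 3600 s,
for the two embodiments it describes.  Added example, not code from the patent or
from Robert Bosch GmbH.  TARGET_FAILURE_RATE_PER_H is an assumed placeholder: the
disclosure compares lambda against a "system safety requirement" but gives no number.
"""
from dataclasses import dataclass

SECONDS_PER_HOUR = 3600.0

# Assumed placeholder for the system safety requirement, in failures per hour.
TARGET_FAILURE_RATE_PER_H = 1e-4


@dataclass(frozen=True)
class SystemEvent:
    """A system event or fault with the riskfactor band derived from its severity and exposure rating."""
    name: str
    exposure_rating: int
    riskfactor_min: float   # lower bound of the risk assessment factor
    riskfactor_max: float   # upper bound (equal to the lower bound when a single value is known)
    rfim_tti_s: float       # tolerant time interval RFIM_TTI, in seconds


# The two embodiments described in the disclosure (exposure rating 3 in both).
SLIGHT_FAULT_OR_ODD_EXIT = SystemEvent(
    "slight system fault / vehicle about to exceed the ODD", 3, 0.01, 0.1, 16.0)
PRIMARY_FAULT_OR_LANE_DEPARTURE = SystemEvent(
    "primary system fault / vehicle about to travel into an adjacent lane", 3, 0.1, 0.1, 4.0)


def failure_rate_per_hour(riskfactor: float, rfim_tti_s: float) -> float:
    """Equation (1): lambda = riskfactor * RFIM_TTI / 3600 s, in failures per hour."""
    if riskfactor < 0 or rfim_tti_s < 0:
        raise ValueError("riskfactor and RFIM_TTI must be non-negative")
    return riskfactor * rfim_tti_s / SECONDS_PER_HOUR


def failure_rate_range(event: SystemEvent) -> tuple:
    """Lowest and highest lambda for an event whose riskfactor is only known as a band."""
    return (failure_rate_per_hour(event.riskfactor_min, event.rfim_tti_s),
            failure_rate_per_hour(event.riskfactor_max, event.rfim_tti_s))


def residual_risk_acceptable(event: SystemEvent,
                             target_per_h: float = TARGET_FAILURE_RATE_PER_H) -> bool:
    """Conservative decision: the SOTIF residual risk is acceptable only if the
    worst-case (highest) lambda does not exceed the target failure rate."""
    _, worst_case = failure_rate_range(event)
    return worst_case <= target_per_h


def max_tolerable_tti_s(riskfactor: float,
                        target_per_h: float = TARGET_FAILURE_RATE_PER_H) -> float:
    """Equation (1) solved for RFIM_TTI: the longest tolerant time interval that still
    meets the target; this is the quantity to shorten when lambda is too high."""
    if riskfactor <= 0:
        raise ValueError("riskfactor must be positive")
    return target_per_h * SECONDS_PER_HOUR / riskfactor


if __name__ == "__main__":
    for event in (SLIGHT_FAULT_OR_ODD_EXIT, PRIMARY_FAULT_OR_LANE_DEPARTURE):
        low, high = failure_rate_range(event)
        verdict = "acceptable" if residual_risk_acceptable(event) else "NOT acceptable"
        print(f"{event.name}: lambda = {low:.2e} .. {high:.2e} /h -> {verdict}; "
              f"max RFIM_TTI at riskfactor {event.riskfactor_max}: "
              f"{max_tolerable_tti_s(event.riskfactor_max):.1f} s")
```

Running the block reproduces the ranges quoted in the text (about 4.4×10⁻⁵ to 4.4×10⁻⁴/h for the slight fault at 16 s, and about 1.1×10⁻⁴/h for the lane-departure case at 4 s). The acceptance check deliberately uses the upper end of the riskfactor band, so an event is only passed when even its worst-case rate meets the requirement; with the placeholder target of 10⁻⁴/h, inverting the formula shows that the 4 s interval of the lane-departure case would need to shrink to 3.6 s.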
RFIM_TTI is the tolerant time interval for a reasonably foreseeable indirect misuse, and represents a time span from occurrence of a reasonably foreseeable indirect misuse (RFIM) event to the time when the vehicle enters a safe state (after intervention) (or represents, in the absence of a misuse intervention mechanism, a time span from occurrence of a reasonably foreseeable indirect misuse (RFIM) event to the time when a situation or event resulting in a hazard event occurs). For example, driver misuse (for example, the line of sight of the driver being moved away from the road) is similar to a dormant failure as defined by ISO 26262. If no driver misuse prevention mechanism is implemented in the autonomous driving assistance system, then after a certain time (an RFIM time), a second fault will occur in the system. Such a fault may be that the vehicle travels into an adjacent lane. In this case, the fault results in potential danger (e.g., collision with a vehicle in an adjacent lane or with a road fence), because the driver is not actively monitoring road conditions and cannot take over promptly. Such an RFIM duration varies greatly, depending specifically on the road segment in which the ego-vehicle is traveling, the in-vehicle sensors, and the vehicle performance.
Different from the above example, in another example, a safety mechanism may be implemented in the autonomous driving assistance system (for example, a driver monitoring system (DMS) is employed) so as to prevent driver misuse. The DMS typically has a de-dithering (debounce) time (e.g., 300 ms to 500 ms), which corresponds to an RFIM detection time interval (RFIM-DTI). Upon detection of driver misuse, a corresponding system response is triggered before a safe state is reached; this period of time is referred to as an RFIM reaction time interval (RFIM-RTI). The total RFIM handling time interval (RFIM-HTI) is the sum of the RFIM-DTI and the RFIM-RTI, and should be shorter than the time span from occurrence of a reasonably foreseeable indirect misuse (RFIM) event to the time when a situation or event resulting in a hazard event would occur in the absence of a misuse intervention mechanism.
In addition, the so-called “safe state” refers to a safe operation mode free of risks at an unreasonable level caused by a certain fault. In an embodiment, a feasible safe state of the system may be sudden (short-time) braking for alerting the driver, so that he/she restores manual control of the vehicle. This is because sharp braking has been proven to be one of the most effective measures to make the driver resume the driving task.
In an embodiment, although not shown in FIG. 1 , the above method 1000 further includes: changing from a first human-machine interaction process in the autonomous driving assistance system to a second human-machine interaction process on the basis of the failure rate, and/or adjusting the reliability of the autonomous driving assistance system on the basis of the failure rate.
For example, the first human-machine interaction process may be as follows: upon detecting a driver misuse event, and upon detecting a slight system fault or the vehicle being about to exceed a defined range of an operational design domain (ODD), the autonomous driving assistance system still continues full-function operation for a period of time t (e.g., 3 s); if the above conditions are still met afterwards (that is, the driver misuse event is still detected, and the slight system fault or the vehicle being about to exceed the defined range of the operational design domain (ODD) is still detected), multiple levels of alerts are triggered in sequence. First, a first-level alert (for example, an alert issued by means of a text message on a screen) is triggered during a first time period T1; if no improvement occurs, a second-level alert is further triggered during a second time period T2 (for example, the system triggers a take-over request by means of a flickering status bar on the steering wheel, an icon on the dashboard, and a swooshing sound). If the conditions are still met, the system then enhances all of the second-level alerts by increasing their frequencies and volumes during a third time period T3. If there is still no effect, a transient and sudden braking impact is triggered during a fourth time period T4 to alert the driver. Finally, safe vehicle stopping is triggered by the system during a fifth time period T5; that is, the vehicle is stopped in the current lane at a relatively low deceleration rate. It can be understood that in the above human-machine interaction process, the tolerant time interval for a reasonably foreseeable indirect misuse is RFIM_TTI = t + T1 + T2 + T3 (note: the detection time interval is not taken into consideration).
If the failure rate calculated according to equation (1) is greater than a failure rate allowable by system safety (i.e., exceeding the system safety requirement), it may be considered to shorten the tolerant time interval for a reasonably foreseeable indirect misuse in the first human-machine interaction process. In the above embodiment, it may be considered to shorten any one of t, T1, T2, and T3.
In another embodiment, the reliability of the autonomous driving assistance system may be adjusted on the basis of the failure rate. For example, if the failure rate exceeds a system safety requirement, a detection accuracy rate of the driver monitoring system (DMS) is increased (for example, improving a detection algorithm of a sensor, utilizing a sensor having higher precision, and so on).
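The staged interaction process, the RFIM_TTI = t + T1 + T2 + T3 relation, the RFIM-HTI constraint from the DMS discussion above, and the "shorten the tolerant time interval" adjustment can be modelled together. This is an added example written for this page, not code from the patent or from Robert Bosch GmbH. Apart from t = 3 s and the 300 ms to 500 ms DMS de-dithering time, every duration below (T1 to T5, the reaction time, the time to hazard) and the target failure rate are assumed placeholders, and scaling all four of t, T1, T2 and T3 down proportionally is this example's choice; the disclosure only says that any one of them may be shortened. The adjustment of DMS detection accuracy is not modelled, since the text gives no formula relating accuracy to the failure rate.

```python
"""Staged HMI process and failure-rate-driven adjustment for an RFIM event.

Models the first human-machine interaction process described above (grace period t,
alert stages T1..T3, braking impact T4, safe stop T5), the RFIM-HTI constraint on the
DMS, and the shortening of RFIM_TTI when equation (1) exceeds the target rate.
Added example, not code from the patent or from Robert Bosch GmbH.  All durations
except t = 3 s are assumed placeholders; proportional scaling of t, T1, T2, T3 is
this example's design choice.
"""
from dataclasses import dataclass, replace

SECONDS_PER_HOUR = 3600.0


@dataclass(frozen=True)
class HmiProcess:
    """Stage durations in seconds of the staged take-over escalation."""
    t: float   # full-function operation continues after misuse + event are first detected (3 s in the text)
    T1: float  # first-level alert: text message on the screen
    T2: float  # second-level alert: take-over request (status bar, dashboard icon, sound)
    T3: float  # second-level alerts enhanced in frequency and volume
    T4: float  # transient, sudden braking impact to alert the driver
    T5: float  # safe stop in the current lane at low deceleration

    def rfim_tti_s(self) -> float:
        """RFIM_TTI = t + T1 + T2 + T3; the detection time interval is not included."""
        return self.t + self.T1 + self.T2 + self.T3


# Constructed first HMI process: t as in the text, the remaining stages assumed.
FIRST_HMI_PROCESS = HmiProcess(t=3.0, T1=5.0, T2=4.0, T3=4.0, T4=1.0, T5=10.0)


def failure_rate_per_hour(riskfactor: float, rfim_tti_s: float) -> float:
    """Equation (1): lambda = riskfactor * RFIM_TTI / 3600 s, in failures per hour."""
    return riskfactor * rfim_tti_s / SECONDS_PER_HOUR


def handling_interval_ok(dti_s: float, rti_s: float, time_to_hazard_s: float) -> bool:
    """RFIM-HTI = RFIM-DTI + RFIM-RTI must be shorter than the time from the RFIM
    event to the hazardous situation that would arise without any intervention."""
    return dti_s + rti_s < time_to_hazard_s


def shorten_to_meet_target(proc: HmiProcess, riskfactor: float,
                           target_per_h: float) -> HmiProcess:
    """Derive the second HMI process: if lambda exceeds the target, scale t, T1, T2 and
    T3 down proportionally so that RFIM_TTI equals the longest tolerable interval.
    T4 and T5 are not part of RFIM_TTI and are left unchanged."""
    if failure_rate_per_hour(riskfactor, proc.rfim_tti_s()) <= target_per_h:
        return proc  # already within the system safety requirement
    max_tti_s = target_per_h * SECONDS_PER_HOUR / riskfactor
    scale = max_tti_s / proc.rfim_tti_s()
    return replace(proc, t=proc.t * scale, T1=proc.T1 * scale,
                   T2=proc.T2 * scale, T3=proc.T3 * scale)


if __name__ == "__main__":
    riskfactor, target = 0.05, 1e-4   # assumed values for the demonstration
    before = FIRST_HMI_PROCESS
    after = shorten_to_meet_target(before, riskfactor, target)
    print(f"RFIM_TTI {before.rfim_tti_s():.1f} s -> {after.rfim_tti_s():.1f} s; "
          f"lambda {failure_rate_per_hour(riskfactor, before.rfim_tti_s()):.2e} -> "
          f"{failure_rate_per_hour(riskfactor, after.rfim_tti_s()):.2e} /h")
    # DMS de-dithering 0.5 s (text: 300 ms to 500 ms) + assumed 2 s reaction vs assumed 4 s to hazard
    print("RFIM-HTI within time to hazard:", handling_interval_ok(0.5, 2.0, 4.0))
```

With the constructed stages, RFIM_TTI is 16 s; at an assumed riskfactor of 0.05 and target of 10⁻⁴/h the rate is too high, and the process is shortened to an RFIM_TTI of 7.2 s, after which equation (1) meets the target exactly. The separate RFIM-HTI check is the one to run against the DMS design: the detection plus reaction time must fit inside the time that would elapse before the hazard with no intervention at all.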
That is, when such quantitative failure rate is employed to assess a safety of the intended functionality (SOTIF)-related residual risk, safety experts and developers are enabled to make a clear decision on this risk, so that system design can be adaptively adjusted as required.
Additionally, it would be readily appreciated by those skilled in the art that the safety control method for an autonomous driving assistance system provided by one or more embodiments of the present disclosure may be implemented by a computer program. For example, the computer program is included in a computer program product, and when executed by a processor, the computer program implements the safety control method for an autonomous driving assistance system according to one or more embodiments of the present disclosure. For another example, when a computer storage medium (e.g., a USB flash drive) storing the computer program is connected to a computer, the safety control method for an autonomous driving assistance system according to one or more embodiments of the present disclosure can be implemented by executing the computer program.
Referring to FIG. 2 , FIG. 2 shows a schematic structural view of a safety control apparatus 2000 for an autonomous driving assistance system according to an embodiment of the present disclosure. As shown in FIG. 2 , the safety control apparatus 2000 for an autonomous driving assistance system includes: a first receiving device 210, a second receiving device 220, and a calculating device 230. The first receiving device 210 is for receiving a status signal regarding a driver, so as to determine a reasonably foreseeable indirect misuse (RFIM) event. The second receiving device 220 is for receiving a particular system event and/or system fault. The calculating device 230 is for calculating, with reference to a degree of severity of the particular system event and/or system fault, a failure rate related to the reasonably foreseeable indirect misuse (RFIM) event, wherein it can be determined, on the basis of the failure rate, whether a safety of the intended functionality (SOTIF)-related residual risk in the autonomous driving assistance system is acceptable.
Although not shown in FIG. 2 , in an embodiment, the above apparatus 2000 further includes: an adjustment device, for changing from a first human-machine interaction process in the autonomous driving assistance system to a second human-machine interaction process on the basis of the failure rate, and/or for adjusting the reliability of the autonomous driving assistance system on the basis of the failure rate.
Those skilled in the art could understand that the above apparatus 2000 can be integrated into various vehicles or (in-vehicle) test apparatuses.
To sum up, in the safety control solution for an autonomous driving assistance system according to the embodiments of the present disclosure, a status of a driver is received, so as to determine a reasonably foreseeable indirect misuse (RFIM) event, and a failure rate related to the reasonably foreseeable indirect misuse (RFIM) event is calculated with reference to a degree of severity of a received particular system event and/or system fault, so as to determine whether a safety of the intended functionality (SOTIF)-related residual risk in the autonomous driving assistance system is acceptable. This solution enables safety experts and developers to quantitatively (rather than qualitatively) assess a SOTIF-related risk, so as to determine as required, according to the failure rate, whether the system design needs to be modified. The safety control solution for an autonomous driving assistance system according to the embodiments of the present disclosure not only ensures that an intelligent driving system meets reliability and safety requirements, but also helps shorten the development cycle of an autonomous driving assistance system.
Although the above specification describes only some embodiments of the present disclosure, it would be appreciated by those of ordinary skill in the art that the present disclosure can be implemented in many other forms without departing from the spirit or scope thereof. Therefore, the illustrated examples and embodiments are considered to be illustrative.

Claims (12)

The invention claimed is:
1. A safety control method for an autonomous driving assistance system, comprising:
receiving a status signal regarding a driver so as to determine a reasonably foreseeable indirect misuse (RFIM) event;
receiving a particular system event and/or system fault; and
calculating, with reference to a degree of severity of the particular system event and/or system fault, a failure rate related to the RFIM event; and
determining, on the basis of the failure rate, whether a safety of the intended functionality (SOTIF)-related residual risk in the autonomous driving assistance system is acceptable.
2. The method according to claim 1, further comprising:
changing from a first human-machine interaction process in the autonomous driving assistance system to a second human-machine interaction process on the basis of the failure rate;
and/or adjusting a reliability of the autonomous driving assistance system on the basis of the failure rate.
3. The method according to claim 1, wherein the RFIM event comprises one or more of the following:
the driver being inattentive;
the driver getting drowsy; and
the driver not being present within the field of view of a driver monitoring system (DMS).
4. The method according to claim 1, wherein the particular system event and/or system fault comprises one or more of:
a vehicle being about to exceed a defined range of an operational design domain; and
a vehicle being about to travel into an adjacent lane.
5. The method according to claim 4, wherein the calculating of the failure rate related to the RFIM event comprises:
calculating the failure rate according to the formula:
$\lambda = \dfrac{\mathit{riskfactor} \times \mathit{RFIM\_TTI}}{3600\ \mathrm{s}}$,
wherein λ represents the failure rate, riskfactor represents a risk assessment factor determined according to the degree of severity of the particular system event and an exposure rating, and RFIM_TTI is a tolerant time interval for a reasonably foreseeable indirect misuse, and represents a time span from occurrence of the RFIM event to the time when the vehicle enters a safe state.
6. The method according to claim 5, wherein sharply braking the vehicle for a short time causes the vehicle to enter the safe state.
7. The method according to claim 2, wherein the changing from the first human-machine interaction process to the second human-machine interaction process comprises:
shortening a tolerant time interval for a reasonably foreseeable indirect misuse in the first human-machine interaction process if the failure rate exceeds a system safety requirement.
8. The method according to claim 2, wherein the adjusting of the reliability of the autonomous driving assistance system on the basis of the failure rate comprises:
increasing a detection accuracy rate of a driver monitoring system (DMS) if the failure rate exceeds a system safety requirement.
9. A safety control apparatus for an autonomous driving assistance system, comprising:
a first receiving device configured to receive a status signal regarding a driver and to determine a reasonably foreseeable indirect misuse (RFIM) event;
a second receiving device configured to receive a particular system event and/or system fault; and
a calculating device configured to calculate, with reference to a degree of severity of the particular system event and/or system fault, a failure rate related to the RFIM event and to determine, on the basis of the failure rate, whether a safety of the intended functionality (SOTIF)-related residual risk in the autonomous driving assistance system is acceptable.
10. A non-transitory computer storage medium, comprising program instructions configured to implement the method according to claim 1.
11. A computer program product comprising:
a computer program configured to be executed by a processor to implement the method according to claim 1.
12. A vehicle comprising:
a safety control apparatus for an autonomous driving assistance system, comprising:
a first receiving device configured to receive a status signal regarding a driver and to determine a reasonably foreseeable indirect misuse (RFIM) event;
a second receiving device configured to receive a particular system event and/or system fault; and
a calculating device configured to calculate, with reference to a degree of severity of the particular system event and/or system fault, a failure rate related to the RFIM event and to determine, on the basis of the failure rate, whether a safety of the intended functionality (SOTIF)-related residual risk in the autonomous driving assistance system is acceptable.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210190318.5 2022-02-28
CN202210190318.5A CN116691728A (en) 2022-02-28 2022-02-28 Safety control method and equipment for automatic driving auxiliary system

Publications (2)

Publication Number Publication Date
US20230271633A1 US20230271633A1 (en) 2023-08-31
US12330693B2 true US12330693B2 (en) 2025-06-17

Family

ID=87557241

Family Applications (1)

Application Number Title Priority Date Filing Date
US18/166,716 Active 2044-01-10 US12330693B2 (en) 2022-02-28 2023-02-09 Safety control method and apparatus for autonomous driving assistance system

Country Status (4)

Country Link
US (1) US12330693B2 (en)
JP (1) JP2023126184A (en)
CN (1) CN116691728A (en)
DE (1) DE102023200041A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130261949A1 (en) * 2010-12-22 2013-10-03 Saab Ab System and method for vehicle separation for a plurality of vehicles
US9463797B2 (en) * 2014-05-30 2016-10-11 Honda Research Institute Europe Gmbh Method and vehicle with an advanced driver assistance system for risk-based traffic scene analysis
US9886632B1 (en) * 2016-11-04 2018-02-06 Loveland Innovations, LLC Systems and methods for autonomous perpendicular imaging of test squares
US10872534B2 (en) * 2017-11-01 2020-12-22 Kespry, Inc. Aerial vehicle inspection path planning
US12181569B2 (en) * 2019-10-19 2024-12-31 Vortezon, Inc. System and method for detecting drones

Also Published As

Publication number Publication date
JP2023126184A (en) 2023-09-07
US20230271633A1 (en) 2023-08-31
DE102023200041A1 (en) 2023-08-31
CN116691728A (en) 2023-09-05

Similar Documents

Publication Publication Date Title
US20190283764A1 (en) Vehicle driver state determination apparatus
CN112455453A (en) Driver state detection method, driver state detection device and computer-readable storage medium
JP6668814B2 (en) Automatic traveling control device and automatic traveling control system
WO2020131803A4 (en) Systems and methods for detecting and dynamically mitigating driver fatigue
CN112622930A (en) Unmanned vehicle driving control method, device and equipment and automatic driving vehicle
US11807277B2 (en) Driving assistance apparatus
Hester et al. “Driver take over”: A preliminary exploration of driver trust and performance in autonomous vehicles
TW201028311A (en) Lane departure warning method and system thereof
CN114348009A (en) Functional safety concept stage analysis method and brake control system
Atwood et al. Evaluate driver response to active warning system in level-2 automated vehicles
JP2016071492A (en) Factor analysis apparatus and factor analysis method
CN113119983A (en) Vehicle safety control method and device and vehicle
US20240208496A1 (en) Methods and systems for controlling a vehicle having a lane support system
Yamada et al. Preliminary study of behavioral and safety effects of driver dependence on a warning system in a driving simulator
US12330693B2 (en) Safety control method and apparatus for autonomous driving assistance system
US12539887B2 (en) Environment monitoring device for an autonomous vehicle that performs different vehicle responses based on violation of a plurality of safety envelopes
US20240253657A1 (en) Notification control device
CN118439055A (en) Fault processing method, device, equipment and storage medium
Glaser et al. Approaches for Developing and Evaluating Emerging Partial Driving Automation System HMIs
CN116572943B (en) Automatic parking safety requirement derivation method, device, vehicle and storage medium
Alambeigi et al. Identifying Deviations from Normal Driving Behavior
Okada et al. Development of gaze detection technology toward driver’s state estimation
JP2020090224A (en) Vehicle runaway prevention method and vehicle runaway prevention device
Roy et al. An IOT Based Alarm System in Car for Traffic, Alcohol and Drowsiness Detection and Accident Prevention
Chen et al. Investigation of the contributing factors of driver takeover time under conditional autonomous driving conditions

Legal Events

Date Code Title Description
FEPP Fee payment procedure

Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

AS Assignment

Owner name: ROBERT BOSCH GMBH, GERMANY

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:SUN, ASHTON;ZHANG, JINGYAO;GE, PENG;REEL/FRAME:063650/0595

Effective date: 20230506

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

STCF Information on status: patent grant

Free format text: PATENTED CASE